
How do I migrate from on-prem AD authentication to cloud-only authentication?

Robin 0 Reputation points
2026-01-14T21:32:36.0733333+00:00

We’re planning to move away from on-prem AD authentication and want users to authenticate directly against Entra ID.

What’s the recommended migration path without disrupting user sign-ins?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. VEMULA SRISAI 13,030 Reputation points Microsoft External Staff Moderator
    2026-01-14T21:52:39.03+00:00

    Hello Robin,

    It sounds like you're looking to migrate your users from on-premises Active Directory (AD) authentication to using Microsoft Entra ID directly. That can be a significant change, but with careful planning, it can be done smoothly without disrupting user sign-ins. Here’s a recommended migration path you might consider:

      1. Assessment of Current Configuration:
        • Check if you're currently using Per-user MFA and Self-Service Password Reset (SSPR) policies. You can do this through the Entra portal under Identity > Users and Identity > Protection.
        • Note what methods are being used for MFA and SSPR as you'll want to map them to new authentication methods.
      2. Change Migration State:
        • Set the migration state to "migration in progress" in the Entra portal under Identity > Protection > authentication methods > manage migration.
      3. Configure New Authentication Policies:
        • Map your existing MFA and SSPR methods to the new authentication methods in Entra. Review the legacy policies and define corresponding modern methods. For example, replace "Text message to phone" with "SMS" in the new Authentication method policy.
      4. Testing:
        • After configuration, monitor for issues by testing MFA and password resets with a user account that has the new methods applied. Ensure that users can sign in and access resources without issues.
      5. Disable Legacy Methods:
        • Once you're confident in the new setup and have resolved any issues, you can disable the legacy authentication methods. Make sure to conduct another round of testing to verify everything is working.
      6. Finalize Migration:
        • Change the migration state to "Migration complete" in the Entra portal. This will finalize your transition to the new authentication system.

      Ongoing Monitoring:

      Keep an eye on user feedback for a week or two after the migration. If many users report issues, you can roll back to the previous settings if necessary.

      Resources for Further Reading:

    Note: It is generated by AI

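The migration-state changes in steps 2 and 6 of the answer above can also be driven from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the answer or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in administrator can consent to the Policy.ReadWrite.AuthenticationMethod scope.

```powershell
# Added example (not from the answer). Reads and advances the authentication
# methods policy migration state (steps 2 and 6) and checks, before marking the
# migration complete, that at least one modern method from step 3 is enabled.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod" -NoWelcome

function Get-AuthMethodMigrationState {
    # One of: preMigration, migrationInProgress, migrationComplete
    (Get-MgPolicyAuthenticationMethodPolicy).PolicyMigrationState
}

function Get-EnabledAuthMethods {
    # Ids of method configurations (Sms, MicrosoftAuthenticator, Fido2, ...) that
    # are enabled in the converged policy; these are the step 3 replacements.
    (Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
        Where-Object { $_.State -eq 'enabled' } |
        Select-Object -ExpandProperty Id
}

function Set-AuthMethodMigrationState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('migrationInProgress', 'migrationComplete')]
        [string]$State
    )
    $enabled = @(Get-EnabledAuthMethods)
    # Guard for step 6: once the state is migrationComplete the legacy per-user
    # MFA and SSPR policies are no longer honoured, so refuse to finish with
    # nothing mapped in the new policy.
    if ($State -eq 'migrationComplete' -and $enabled.Count -eq 0) {
        throw "No authentication methods are enabled in the converged policy; map the legacy methods first (step 3)."
    }
    Write-Host "Current state: $(Get-AuthMethodMigrationState); enabled methods: $($enabled -join ', ')"
    Update-MgPolicyAuthenticationMethodPolicy -PolicyMigrationState $State
    Get-AuthMethodMigrationState
}

# Step 2: start the migration. Run the migrationComplete call only after the
# testing in steps 4 and 5 has passed.
Set-AuthMethodMigrationState -State migrationInProgress
# Set-AuthMethodMigrationState -State migrationComplete
```

Run Get-EnabledAuthMethods on its own first and compare the list against the legacy per-user MFA and SSPR methods noted in step 1; any legacy method without an enabled counterpart is the one users will lose when the state flips to migrationComplete.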

  2. AI answer

    2026-01-14T21:34:19.6133333+00:00

    To migrate from on-premises Active Directory (AD) authentication to cloud-only authentication with Microsoft Entra ID, follow these recommended steps to ensure a smooth transition without disrupting user sign-ins:

    1. Assess Current Authentication Methods: Determine which authentication methods are currently in use and decide on the appropriate methods needed for your organization in the cloud.
    2. Implement Password Hash Synchronization (PHS): This method allows users to authenticate against Microsoft Entra ID while maintaining their existing passwords. It can serve as a primary authentication method or as a failover option.
    3. Use Staged Rollout for Testing: Utilize Microsoft Entra Connect cloud authentication with Staged Rollout to control which users are migrated to cloud authentication first. This allows you to test authentication with selected user groups before a full rollout.
    4. Migrate Authentication Methods: Transition to passwordless methods if possible, such as Microsoft Authenticator or FIDO2 security keys. Ensure that users are familiar with these methods before the final migration.
    5. Remove On-Premises Dependencies: Once you have confirmed that users can authenticate successfully against Microsoft Entra ID, ensure that your on-premises AD FS farm is no longer used for authentication. This step is crucial to avoid any disruptions.
    6. Monitor and Support Users: After migration, monitor sign-in logs to identify any issues and provide support to users as they adjust to the new authentication methods.
    7. Finalize Migration: Once the migration is complete and users are successfully authenticating against Microsoft Entra ID, you can proceed to decommission any remaining on-premises authentication infrastructure.

    By following these steps, you can effectively migrate to cloud-only authentication while minimizing disruptions to user sign-ins.

    AI-generated content may be incorrect. Read our transparency notes for more information.

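Steps 2, 3 and 6 of the answer above (PHS with Staged Rollout for a pilot group, then sign-in monitoring) can be scripted against Microsoft Graph. This is an added example, not code from the answer or from Microsoft; it assumes the Microsoft Graph PowerShell SDK, Microsoft Entra Connect already syncing password hashes, and a pilot security group whose object id replaces the placeholder in $PilotGroupId.

```powershell
# Added example (not from the answer). Creates or reuses a Staged Rollout policy
# for password hash sync scoped to a pilot group, then lists recent failed
# sign-ins by that group's members so the pilot can be judged before widening it.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "AuditLog.Read.All", "GroupMember.Read.All" -NoWelcome

$PilotGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your pilot group object id

function New-PhsStagedRollout {
    param([Parameter(Mandatory)][string]$GroupId)
    # Reuse an existing passwordHashSync rollout policy if one is already present.
    $policy = Get-MgPolicyFeatureRolloutPolicy | Where-Object { $_.Feature -eq 'passwordHashSync' }
    if (-not $policy) {
        $policy = New-MgPolicyFeatureRolloutPolicy -DisplayName "PHS staged rollout" `
            -Feature passwordHashSync -IsEnabled:$true
    }
    # Staged Rollout is scoped by security group; nested groups are not expanded,
    # so the pilot group must contain the users directly.
    New-MgPolicyFeatureRolloutPolicyApplyToByRef -FeatureRolloutPolicyId $policy.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$GroupId" }
    $policy
}

function Get-PilotSignInFailures {
    param([Parameter(Mandatory)][string]$GroupId, [int]$Hours = 24)
    $members = (Get-MgGroupMember -GroupId $GroupId -All).Id
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    # Non-zero status/errorCode marks a failed sign-in; keep only pilot members.
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode ne 0" -All |
        Where-Object { $members -contains $_.UserId } |
        Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
            @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } },
            @{ n = 'Reason';    e = { $_.Status.FailureReason } }
}

New-PhsStagedRollout -GroupId $PilotGroupId
Get-PilotSignInFailures -GroupId $PilotGroupId -Hours 24 | Format-Table -AutoSize
```

A rise in failures for pilot members right after the policy is applied is the signal to pause and fix before adding more groups; the same query, run after step 5, confirms that nothing still depends on the federated path.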
